Privacy Policy

1. Controller

Matthias Siano
Weizenkamp 2
22081 Hamburg, Germany
Email: [email protected]

2. Data We Process

3. Purposes & Legal Bases (GDPR)

• •Providing core app functionality (local step tracking, progress): Art. 6(1)(b) GDPR (performance of contract)
• •Social features (leaderboards, challenges): Art. 6(1)(b) GDPR; health data only after explicit consent (Art. 9(2)(a))
• •Processing step count on backend (when social enabled): Art. 9(2)(a) GDPR (explicit consent)
• •Crash & error diagnostics: Art. 6(1)(f) GDPR (legitimate interest in stability and security)
• •Support requests (replying to emails): Art. 6(1)(f) GDPR (legitimate interest in user support)
• •Legal compliance & security: Art. 6(1)(c)/(f) GDPR

You can withdraw consent at any time in the app settings; this does not affect prior lawful processing.

4. Data Retention

• •Account & step data (social backend): Automatically deleted or anonymized after max. 60 days of inactivity or immediately when you delete your account
• •Local-only data: Stored only on your device and removed when you uninstall the app
• •Crash diagnostics: Retained only as long as needed for troubleshooting (typically less than 90 days)
• •Support emails: Deleted after resolution, latest within 6 months

5. Hosting & Processing

Backend (social feature database) is hosted on Supabase (Frankfurt, Germany / EU). No transfer to non-EU/EEA countries. A Data Processing Agreement (Art. 28 GDPR) is in place with Supabase.

6. Data Sharing

We do not sell or share your data for advertising or profiling. Data is only processed by essential infrastructure providers (e.g. hosting, crash diagnostics) bound by contractual safeguards.

7. Your Rights (GDPR)

Exercise your rights anytime via [email protected]. For account deletion use the in-app function or email us.

8. Consent for Health (Step) Data

Step counts qualify as health-related data in context. We only process them on the backend for social features after your explicit opt-in. You can revoke consent anytime in settings; backend copies are then deleted (or queued for purge) and only local tracking remains.

9. Security

We apply industry-standard safeguards (least privilege access, encrypted transport (HTTPS/TLS), role-based database policies). No system is 100% secure, but we continually improve safeguards and minimize stored data.

10. Changes

We may update this policy for feature or legal changes. The latest version is always available here. Material changes will be highlighted in-app before they take effect.

Supervisory Authority (Germany)

You have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). For Hamburg users the competent authority is:

No Data Protection Officer (DPO) is appointed because the criteria of Art. 37 GDPR (large-scale monitoring / special categories) are not met.

Terms of Service - StepMat Social Features

• •Registration: Social features require a free account. Minimum age is 16 years.
• •Community Rules: No insults, harassment, hate, discriminatory content, spam, automated misuse, or falsified activity data.
• •Availability: We strive for high availability but do not guarantee uninterrupted uptime.
• •Liability: We are only liable for intent and gross negligence as permitted by applicable law.
• •Account Deletion: You can delete your account anytime in the app; associated backend data is removed immediately or within a short automated purge cycle.

Contact Us

Datenschutzhinweise (Kurzfassung auf Deutsch)